## API Report File for "@backstage/plugin-auth-backend"

> Do not edit this file. It is a report generated by [API Extractor](https://api-extractor.com/).

```ts
import { AuthProviderConfig as AuthProviderConfig_2 } from '@backstage/plugin-auth-node';
import { AuthProviderFactory as AuthProviderFactory_2 } from '@backstage/plugin-auth-node';
import { AuthProviderRouteHandlers as AuthProviderRouteHandlers_2 } from '@backstage/plugin-auth-node';
import { AuthResolverCatalogUserQuery as AuthResolverCatalogUserQuery_2 } from '@backstage/plugin-auth-node';
import { AuthResolverContext as AuthResolverContext_2 } from '@backstage/plugin-auth-node';
import { AwsAlbResult as AwsAlbResult_2 } from '@backstage/plugin-auth-backend-module-aws-alb-provider';
import { BackendFeature } from '@backstage/backend-plugin-api';
import { BackstageSignInResult } from '@backstage/plugin-auth-node';
import { CacheService } from '@backstage/backend-plugin-api';
import { CatalogApi } from '@backstage/catalog-client';
import { ClientAuthResponse } from '@backstage/plugin-auth-node';
import { Config } from '@backstage/config';
import { CookieConfigurer as CookieConfigurer_2 } from '@backstage/plugin-auth-node';
import { decodeOAuthState } from '@backstage/plugin-auth-node';
import { encodeOAuthState } from '@backstage/plugin-auth-node';
import { Entity } from '@backstage/catalog-model';
import express from 'express';
import { GcpIapResult as GcpIapResult_2 } from '@backstage/plugin-auth-backend-module-gcp-iap-provider';
import { GcpIapTokenInfo as GcpIapTokenInfo_2 } from '@backstage/plugin-auth-backend-module-gcp-iap-provider';
import { LoggerService } from '@backstage/backend-plugin-api';
import { OAuth2ProxyResult as OAuth2ProxyResult_2 } from '@backstage/plugin-auth-backend-module-oauth2-proxy-provider';
import { OAuthEnvironmentHandler as OAuthEnvironmentHandler_2 } from '@backstage/plugin-auth-node';
import { OAuthState as OAuthState_2 } from '@backstage/plugin-auth-node';
import { OidcAuthResult as OidcAuthResult_2 } from '@backstage/plugin-auth-backend-module-oidc-provider';
import { PluginDatabaseManager } from '@backstage/backend-common';
import { PluginEndpointDiscovery } from '@backstage/backend-common';
import { prepareBackstageIdentityResponse as prepareBackstageIdentityResponse_2 } from '@backstage/plugin-auth-node';
import { Profile } from 'passport';
import { ProfileInfo as ProfileInfo_2 } from '@backstage/plugin-auth-node';
import { SignInInfo as SignInInfo_2 } from '@backstage/plugin-auth-node';
import { SignInResolver as SignInResolver_2 } from '@backstage/plugin-auth-node';
import { TokenManager } from '@backstage/backend-common';
import { TokenParams as TokenParams_2 } from '@backstage/plugin-auth-node';
import { UserEntity } from '@backstage/catalog-model';
import { WebMessageResponse as WebMessageResponse_2 } from '@backstage/plugin-auth-node';

// @public @deprecated
export type AuthHandler<TAuthResult> = (
  input: TAuthResult,
  context: AuthResolverContext_2,
) => Promise<AuthHandlerResult>;

// @public @deprecated
export type AuthHandlerResult = {
  profile: ProfileInfo_2;
};

// @public
const authPlugin: () => BackendFeature;
export default authPlugin;

// @public @deprecated (undocumented)
export type AuthProviderConfig = AuthProviderConfig_2;

// @public @deprecated (undocumented)
export type AuthProviderFactory = AuthProviderFactory_2;

// @public @deprecated (undocumented)
export type AuthProviderRouteHandlers = AuthProviderRouteHandlers_2;

// @public @deprecated (undocumented)
export type AuthResolverCatalogUserQuery = AuthResolverCatalogUserQuery_2;

// @public @deprecated (undocumented)
export type AuthResolverContext = AuthResolverContext_2;

// @public @deprecated (undocumented)
export type AuthResponse<TProviderInfo> = ClientAuthResponse<TProviderInfo>;

// @public @deprecated
export type AwsAlbResult = AwsAlbResult_2;

// @public (undocumented)
export type BitbucketOAuthResult = {
  fullProfile: BitbucketPassportProfile;
  params: {
    id_token?: string;
    scope: string;
    expires_in: number;
  };
  accessToken: string;
  refreshToken?: string;
};

// @public (undocumented)
export type BitbucketPassportProfile = Profile & {
  id?: string;
  displayName?: string;
  username?: string;
  avatarUrl?: string;
  _json?: {
    links?: {
      avatar?: {
        href?: string;
      };
    };
  };
};

// @public (undocumented)
export type BitbucketServerOAuthResult = {
  fullProfile: Profile;
  params: {
    scope: string;
    access_token?: string;
    token_type?: string;
    expires_in?: number;
  };
  accessToken: string;
  refreshToken?: string;
};

// @public
export class CatalogIdentityClient {
  constructor(options: { catalogApi: CatalogApi; tokenManager: TokenManager });
  findUser(query: { annotations: Record<string, string> }): Promise<UserEntity>;
  resolveCatalogMembership(query: {
    entityRefs: string[];
    logger?: LoggerService;
  }): Promise<string[]>;
}

// @public
export type CloudflareAccessClaims = {
  aud: string[];
  email: string;
  exp: number;
  iat: number;
  nonce: string;
  identity_nonce: string;
  sub: string;
  iss: string;
  custom: string;
};

// @public
export type CloudflareAccessGroup = {
  id: string;
  name: string;
  email: string;
};

// @public
export type CloudflareAccessIdentityProfile = {
  id: string;
  name: string;
  email: string;
  groups: CloudflareAccessGroup[];
};

// @public (undocumented)
export type CloudflareAccessResult = {
  claims: CloudflareAccessClaims;
  cfIdentity: CloudflareAccessIdentityProfile;
  expiresInSeconds?: number;
  token: string;
};

// @public @deprecated (undocumented)
export type CookieConfigurer = CookieConfigurer_2;

// @public
export function createAuthProviderIntegration<
  TCreateOptions extends unknown[],
  TResolvers extends {
    [name in string]: (...args: any[]) => SignInResolver_2<any>;
  },
>(config: {
  create: (...args: TCreateOptions) => AuthProviderFactory_2;
  resolvers?: TResolvers;
}): Readonly<{
  create: (...args: TCreateOptions) => AuthProviderFactory_2;
  resolvers: Readonly<string extends keyof TResolvers ? never : TResolvers>;
}>;

// @public (undocumented)
export function createOriginFilter(config: Config): (origin: string) => boolean;

// @public (undocumented)
export function createRouter(options: RouterOptions): Promise<express.Router>;

// @public
export const defaultAuthProviderFactories: {
  [providerId: string]: AuthProviderFactory_2;
};

// @public (undocumented)
export type EasyAuthResult = {
  fullProfile: Profile;
  accessToken?: string;
};

// @public @deprecated (undocumented)
export const encodeState: typeof encodeOAuthState;

// @public @deprecated (undocumented)
export const ensuresXRequestedWith: (req: express.Request) => boolean;

// @public @deprecated
export type GcpIapResult = GcpIapResult_2;

// @public @deprecated
export type GcpIapTokenInfo = GcpIapTokenInfo_2;

// @public
export function getDefaultOwnershipEntityRefs(entity: Entity): string[];

// @public (undocumented)
export type GithubOAuthResult = {
  fullProfile: Profile;
  params: {
    scope: string;
    expires_in?: string;
    refresh_token_expires_in?: string;
  };
  accessToken: string;
  refreshToken?: string;
};

// @public @deprecated (undocumented)
export type OAuth2ProxyResult = OAuth2ProxyResult_2;

// @public @deprecated (undocumented)
export class OAuthAdapter implements AuthProviderRouteHandlers_2 {
  constructor(handlers: OAuthHandlers, options: OAuthAdapterOptions);
  // (undocumented)
  frameHandler(req: express.Request, res: express.Response): Promise<void>;
  // (undocumented)
  static fromConfig(
    config: AuthProviderConfig_2,
    handlers: OAuthHandlers,
    options: Pick<
      OAuthAdapterOptions,
      'providerId' | 'persistScopes' | 'callbackUrl'
    >,
  ): OAuthAdapter;
  // (undocumented)
  logout(req: express.Request, res: express.Response): Promise<void>;
  // (undocumented)
  refresh(req: express.Request, res: express.Response): Promise<void>;
  // (undocumented)
  start(req: express.Request, res: express.Response): Promise<void>;
}

// @public @deprecated (undocumented)
export type OAuthAdapterOptions = {
  providerId: string;
  persistScopes?: boolean;
  appOrigin: string;
  baseUrl: string;
  cookieConfigurer: CookieConfigurer_2;
  isOriginAllowed: (origin: string) => boolean;
  callbackUrl: string;
};

// @public @deprecated (undocumented)
export const OAuthEnvironmentHandler: typeof OAuthEnvironmentHandler_2;

// @public @deprecated (undocumented)
export interface OAuthHandlers {
  handler(req: express.Request): Promise<{
    response: OAuthResponse;
    refreshToken?: string;
  }>;
  logout?(req: OAuthLogoutRequest): Promise<void>;
  refresh?(req: OAuthRefreshRequest): Promise<{
    response: OAuthResponse;
    refreshToken?: string;
  }>;
  start(req: OAuthStartRequest): Promise<OAuthStartResponse>;
}

// @public @deprecated (undocumented)
export type OAuthLogoutRequest = express.Request<{}> & {
  refreshToken: string;
};

// @public @deprecated (undocumented)
export type OAuthProviderInfo = {
  accessToken: string;
  idToken?: string;
  expiresInSeconds?: number;
  scope: string;
};

// @public @deprecated
export type OAuthProviderOptions = {
  clientId: string;
  clientSecret: string;
  callbackUrl: string;
};

// @public @deprecated (undocumented)
export type OAuthRefreshRequest = express.Request<{}> & {
  scope: string;
  refreshToken: string;
};

// @public @deprecated (undocumented)
export type OAuthResponse = {
  profile: ProfileInfo_2;
  providerInfo: OAuthProviderInfo;
  backstageIdentity?: BackstageSignInResult;
};

// @public @deprecated (undocumented)
export type OAuthResult = {
  fullProfile: Profile;
  params: {
    id_token?: string;
    scope: string;
    token_type?: string;
    expires_in: number;
  };
  accessToken: string;
  refreshToken?: string;
};

// @public @deprecated (undocumented)
export type OAuthStartRequest = express.Request<{}> & {
  scope: string;
  state: OAuthState;
};

// @public @deprecated (undocumented)
export type OAuthStartResponse = {
  url: string;
  status?: number;
};

// @public @deprecated (undocumented)
export type OAuthState = OAuthState_2;

// @public @deprecated (undocumented)
export type OidcAuthResult = OidcAuthResult_2;

// @public @deprecated (undocumented)
export const postMessageResponse: (
  res: express.Response,
  appOrigin: string,
  response: WebMessageResponse,
) => void;

// @public @deprecated (undocumented)
export const prepareBackstageIdentityResponse: typeof prepareBackstageIdentityResponse_2;

// @public @deprecated (undocumented)
export type ProfileInfo = ProfileInfo_2;

// @public (undocumented)
export type ProviderFactories = {
  [s: string]: AuthProviderFactory_2;
};

// @public
export const providers: Readonly<{
  atlassian: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<OAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<OAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: never;
  }>;
  auth0: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<OAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<OAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: never;
  }>;
  awsAlb: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<AwsAlbResult_2> | undefined;
            signIn: {
              resolver: SignInResolver_2<AwsAlbResult_2>;
            };
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: never;
  }>;
  bitbucket: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<OAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<OAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: Readonly<{
      usernameMatchingUserEntityAnnotation(): SignInResolver_2<OAuthResult>;
      userIdMatchingUserEntityAnnotation(): SignInResolver_2<OAuthResult>;
    }>;
  }>;
  bitbucketServer: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<BitbucketServerOAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<BitbucketServerOAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: Readonly<{
      emailMatchingUserEntityProfileEmail: () => SignInResolver_2<BitbucketServerOAuthResult>;
    }>;
  }>;
  cfAccess: Readonly<{
    create: (options: {
      authHandler?: AuthHandler<CloudflareAccessResult> | undefined;
      signIn: {
        resolver: SignInResolver_2<CloudflareAccessResult>;
      };
      cache?: CacheService | undefined;
    }) => AuthProviderFactory_2;
    resolvers: Readonly<{
      emailMatchingUserEntityProfileEmail: () => SignInResolver_2<unknown>;
    }>;
  }>;
  gcpIap: Readonly<{
    create: (options: {
      authHandler?: AuthHandler<GcpIapResult_2> | undefined;
      signIn: {
        resolver: SignInResolver_2<GcpIapResult_2>;
      };
    }) => AuthProviderFactory_2;
    resolvers: never;
  }>;
  github: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<GithubOAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<GithubOAuthResult>;
                }
              | undefined;
            stateEncoder?: StateEncoder | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: Readonly<{
      usernameMatchingUserEntityName: () => SignInResolver_2<GithubOAuthResult>;
    }>;
  }>;
  gitlab: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<OAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<OAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: never;
  }>;
  google: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<OAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<OAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: Readonly<{
      emailMatchingUserEntityProfileEmail: () => SignInResolver_2<OAuthResult>;
      emailLocalPartMatchingUserEntityName: () => SignInResolver_2<OAuthResult>;
      emailMatchingUserEntityAnnotation: () => SignInResolver_2<OAuthResult>;
    }>;
  }>;
  microsoft: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<OAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<OAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: Readonly<{
      emailMatchingUserEntityProfileEmail: () => SignInResolver_2<OAuthResult>;
      emailLocalPartMatchingUserEntityName: () => SignInResolver_2<OAuthResult>;
      emailMatchingUserEntityAnnotation: () => SignInResolver_2<OAuthResult>;
    }>;
  }>;
  oauth2: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<OAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<OAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: never;
  }>;
  oauth2Proxy: Readonly<{
    create: (options: {
      authHandler?: AuthHandler<OAuth2ProxyResult_2> | undefined;
      signIn: {
        resolver: SignInResolver_2<OAuth2ProxyResult_2>;
      };
    }) => AuthProviderFactory_2;
    resolvers: never;
  }>;
  oidc: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<OidcAuthResult_2> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<OidcAuthResult_2>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: Readonly<{
      emailLocalPartMatchingUserEntityName: () => SignInResolver_2<unknown>;
      emailMatchingUserEntityProfileEmail: () => SignInResolver_2<unknown>;
    }>;
  }>;
  okta: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<OAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<OAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: Readonly<{
      emailLocalPartMatchingUserEntityName: () => SignInResolver_2<unknown>;
      emailMatchingUserEntityProfileEmail: () => SignInResolver_2<unknown>;
      emailMatchingUserEntityAnnotation(): SignInResolver_2<OAuthResult>;
    }>;
  }>;
  onelogin: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<OAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<OAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: never;
  }>;
  saml: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<SamlAuthResult> | undefined;
            signIn?:
              | {
                  resolver: SignInResolver_2<SamlAuthResult>;
                }
              | undefined;
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: Readonly<{
      nameIdMatchingUserEntityName(): SignInResolver_2<SamlAuthResult>;
    }>;
  }>;
  easyAuth: Readonly<{
    create: (
      options?:
        | {
            authHandler?: AuthHandler<EasyAuthResult> | undefined;
            signIn: {
              resolver: SignInResolver_2<EasyAuthResult>;
            };
          }
        | undefined,
    ) => AuthProviderFactory_2;
    resolvers: never;
  }>;
}>;

// @public @deprecated (undocumented)
export const readState: typeof decodeOAuthState;

// @public (undocumented)
export interface RouterOptions {
  // (undocumented)
  catalogApi?: CatalogApi;
  // (undocumented)
  config: Config;
  // (undocumented)
  database: PluginDatabaseManager;
  // (undocumented)
  disableDefaultProviderFactories?: boolean;
  // (undocumented)
  discovery: PluginEndpointDiscovery;
  // (undocumented)
  logger: LoggerService;
  // (undocumented)
  providerFactories?: ProviderFactories;
  // (undocumented)
  tokenFactoryAlgorithm?: string;
  // (undocumented)
  tokenManager: TokenManager;
}

// @public (undocumented)
export type SamlAuthResult = {
  fullProfile: any;
};

// @public @deprecated (undocumented)
export type SignInInfo<TAuthResult> = SignInInfo_2<TAuthResult>;

// @public @deprecated (undocumented)
export type SignInResolver<TAuthResult> = SignInResolver_2<TAuthResult>;

// @public @deprecated (undocumented)
export type StateEncoder = (req: OAuthStartRequest) => Promise<{
  encodedState: string;
}>;

// @public @deprecated (undocumented)
export type TokenParams = TokenParams_2;

// @public @deprecated (undocumented)
export const verifyNonce: (req: express.Request, providerId: string) => void;

// @public @deprecated (undocumented)
export type WebMessageResponse = WebMessageResponse_2;
```
